mkimage: Support signing 'auto' FITs
This adds support for signing images in auto-generated FITs. To do this,
we need to add a signature node. The algorithm name property already has
its own option, but we need one for the key name hint. We could have
gone the -G route and added an explicit name for the public key (like
what is done for the private key). However, many places assume the
public key can be constructed from the key dir and hint, and I don't
want to do the refactoring necessary.
As a consequence of this, it is now easier to add public keys to an
existing image without signing something. This could be done all along,
but now you don't have to create an its just to do it. Ideally, we
wouldn't create a FIT at the end. This could be done by calling
fit_image_setup_sig/info.crypto->add_verify_data directly.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
diff --git a/tools/mkimage.c b/tools/mkimage.c
index 5c6a60e..0e1198b 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -119,6 +119,7 @@
"Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n"
" -k => set directory containing private keys\n"
" -K => write public keys to this .dtb file\n"
+ " -g => set key name hint\n"
" -G => use this signing key (in lieu of -k)\n"
" -c => add comment in signature node\n"
" -F => re-sign existing FIT image\n"
@@ -163,7 +164,7 @@
int opt;
while ((opt = getopt(argc, argv,
- "a:A:b:B:c:C:d:D:e:Ef:FG:k:i:K:ln:N:p:o:O:rR:qstT:vVx")) != -1) {
+ "a:A:b:B:c:C:d:D:e:Ef:Fg:G:k:i:K:ln:N:p:o:O:rR:qstT:vVx")) != -1) {
switch (opt) {
case 'a':
params.addr = strtoull(optarg, &ptr, 16);
@@ -239,6 +240,8 @@
params.type = IH_TYPE_FLATDT;
params.fflag = 1;
break;
+ case 'g':
+ params.keyname = optarg;
case 'G':
params.keyfile = optarg;
break;